Carnival Cruise offers free credit monitoring after data breach affects 6 million customers

Carnival Corporation, the world’s largest cruise company, is notifying customers after a major data breach exposed personal information belonging to nearly 6 million people. The company said it discovered unauthorized access to a limited part of its IT system in April after a social engineering attack targeted a single user account. Carnival said it quickly blocked the activity, brought in third-party security experts, and notified law enforcement.

In a notice filed with the Maine Attorney General’s office, Carnival said the incident affected 5,995,277 individuals. The company’s annual report states that it served about 13.5 million guests in 2025 across a fleet of 90 ships. Carnival’s portfolio includes Carnival Cruise Line, AIDA, Costa, Cunard, Holland America, P&O, and Princess Cruises.

According to Carnival, its investigation found that an unauthorized actor used deception to gain access to its system and illegally viewed certain personal information. The company said the review is ongoing and that it is conducting a thorough analysis to determine exactly what data was compromised. So far, Carnival says the impacted information includes names, email addresses, phone numbers, dates of birth, and driver’s license and passport numbers.

Carnival said it has already begun sending notification letters to affected customers. For U.S. residents, the company is offering two years of complimentary credit monitoring through its preferred third-party provider, TransUnion. It is also urging customers to monitor financial accounts and credit reports carefully and to contact local police if they suspect fraud or identity theft.

In an online FAQ for people who had not yet received letters, Carnival addressed questions about why notification took time. The company said incidents like this require careful investigation to identify the affected data, determine who it belongs to, and ensure notifications are accurate. Carnival said that once the breach was identified and contained, its focus shifted to fully investigating the event and contacting impacted individuals as soon as possible.

The breach has drawn frustration from some customers online, including on Reddit’s r/CarnivalCruiseFans forum, where users complained about the delay in notification and questioned how long their information may have been exposed. Some commenters said they would prefer compensation or cruise vouchers. Others referenced reports suggesting the company may have refused to pay ransom demands, though Carnival has not publicly confirmed any such details.

A hacking group known as ShinyHunters has reportedly claimed responsibility for the attack, but Carnival has not confirmed that allegation. The company has also not disclosed where the stolen data may have been shared or whether it was posted online.

Carnival said it has added new layers of security and monitoring to its systems and continues to strengthen its defenses against evolving cyber threats. The company said protecting customer privacy and security remains a top priority as it works through the aftermath of the breach.